## AMENDMENTS TO THE CLAIMS:

Please cancel claims 1-18.

Please add the following new claims, claims 37-76.

1 37. (new) An apparatus comprising:

2

3

4

5

6 7

8

1

2

1

a configuration storage to store configuration settings to configure an access transaction generated by a processor having a first execution mode and a second execution mode, the configuration settings to define a protected memory area in a memory external to the processor that is accessible to the processor in the first execution mode and an un-protected memory area that is accessible to the processor in the second execution mode, wherein the processor in the second execution mode cannot access the protected memory area, the access transaction including access information;

- a protected memory zone in the protected memory area;
- 9 an un-protected memory zone in the un-protected memory area; and
- a memory zone access checking circuit coupled to the configuration storage to check the access transaction using at least one of the configuration settings and the access information to determine if the access transaction is valid.
  - 1 38. (new) The apparatus of claim 37 wherein the protected memory zone in the protected memory area includes at least one protected memory page.
  - 1 39. (new) The apparatus of claim 38 wherein the at least one protected memory page includes an applet page.
  - 1 40. (new) The apparatus of claim 38 wherein the at least one protected memory page includes an OS nub 2 page.
    - 41. (new) The apparatus of claim 38 wherein the at least one protected memory page includes a processor nub page.
      - 42. (new) The apparatus of claim 37 wherein the access information includes a physical address.
  - 1 43. (new) The apparatus of claim 42 further comprising an identifier that identifies a currently active 2 protected memory zone and that the processor is operating in the first execution mode.

| 1  | 44. (new) The apparatus of claim 43 wherein determining if the access transaction is valid further                |                                                                                                         |  |
|----|-------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|--|
| 2  | comprises determining if the physical address is within the currently active protected memory zone and if the     |                                                                                                         |  |
| 3  | 3 identifier is asserted.                                                                                         |                                                                                                         |  |
|    |                                                                                                                   |                                                                                                         |  |
| 1  | 45.                                                                                                               | (new) The apparatus of claim 43 wherein the multi-memory zone access checking circuit                   |  |
| 2  | comprises a memory zone detector to detect if the physical address is within the currently active protected       |                                                                                                         |  |
| 3  | memory zone                                                                                                       | such that the memory zone detector generates a memory zone matching signal.                             |  |
| 1  | 46.                                                                                                               | (new) The apparatus of claim 45 wherein the multi-memory zone access checking circuit further           |  |
| 2  | comprises an access grant generator coupled to the memory zone detector, the access grant generator generating    |                                                                                                         |  |
| 3  | an access grant signal if both the memory zone matching signal and identifier are asserted.                       |                                                                                                         |  |
| 1  | 47.                                                                                                               | (new) A method comprising:                                                                              |  |
| 2  | confi                                                                                                             | guring an access transaction generated by a processor having a first execution mode and a second        |  |
| 3  | execution mode;                                                                                                   |                                                                                                         |  |
| 4  | generating configuration settings to define a protected memory area in a memory external to the                   |                                                                                                         |  |
| 5  | processor that is accessible to the processor in the first execution mode and an un-protected memory area that is |                                                                                                         |  |
| 6  | accessible to the processor in the second execution mode, wherein the processor in the second execution mode      |                                                                                                         |  |
| 7  |                                                                                                                   |                                                                                                         |  |
| 8  | defin                                                                                                             | ing a protected memory zone in the protected memory area;                                               |  |
| 9  | defining an un-protected memory zone in the un-protected memory area; and                                         |                                                                                                         |  |
| 10 | check                                                                                                             | ring the access transaction using at least one of the configuration settings and the access information |  |
| 11 |                                                                                                                   | if the access transaction is valid.                                                                     |  |
| 1  | 48. (                                                                                                             | new) The method of claim 47 wherein the protected memory zone in the protected memory area              |  |
| 2  | `                                                                                                                 | ast one protected memory page.                                                                          |  |
|    |                                                                                                                   |                                                                                                         |  |
| 1  | 49. (                                                                                                             | new) The method of claim 48 wherein the at least one protected memory page includes an applet           |  |
| 2  | page.                                                                                                             |                                                                                                         |  |
|    |                                                                                                                   |                                                                                                         |  |
| 1  | 50. (                                                                                                             | new) The method of claim 48 wherein the at least one protected memory page includes an OS nub           |  |

2

page.

| 1           | 51. (new) The method of claim 48 wherein the at least one protected memory page includes a processor                                                                                                                                  |  |
|-------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| 2           | nub page.                                                                                                                                                                                                                             |  |
| 1           | 52. (new) The method of claim 47 wherein the access information includes a physical address.                                                                                                                                          |  |
| 1           | 53. (new) The method of claim 52 wherein an identifier is used to identify a currently active protected                                                                                                                               |  |
| 2           | memory zone and that the processor is operating in the first execution mode.                                                                                                                                                          |  |
| 1<br>2<br>3 | 54. (new) The method of claim 53 wherein determining if the access transaction is valid further comprises determining if the physical address is within the currently active protected memory zone and if the identifier is asserted. |  |
| 1           | 55. (new) The method of claim 53 further comprising detecting if the physical address is within the                                                                                                                                   |  |
| 2           | currently active protected memory zone such that a memory zone matching signal is generated.                                                                                                                                          |  |
| 1 2         | 56. (new) The method of claim 55 further comprising generating an access grant signal if both the memory zone matching signal and identifier are asserted.                                                                            |  |
| 1           | 57. (new) A machine-readable medium having stored thereon instructions, which when                                                                                                                                                    |  |
| 2           | executed by a machine, cause the machine to perform the following operations comprising:                                                                                                                                              |  |
| 3           | configuring an access transaction generated by a processor having a first execution mode and a second                                                                                                                                 |  |
| 4           | execution mode;                                                                                                                                                                                                                       |  |
| 5           | generating configuration settings to define a protected memory area in a memory external to the                                                                                                                                       |  |
| 6           | processor that is accessible to the processor in the first execution mode and an un-protected memory area that is                                                                                                                     |  |
| 7           | accessible to the processor in the second execution mode, wherein the processor in the second execution mode                                                                                                                          |  |
| 8           | cannot access the protected memory area, the access transaction including access information;                                                                                                                                         |  |
| 9           | defining a protected memory zone in the protected memory area;                                                                                                                                                                        |  |
| 10          | defining an un-protected memory zone in the un-protected memory area; and                                                                                                                                                             |  |
| 11          | checking the access transaction using at least one of the configuration settings and the access information                                                                                                                           |  |
| 12          | to determine if the access transaction is valid.                                                                                                                                                                                      |  |
| 1           | 58. (new) The machine-readable medium of claim 57 wherein the protected memory zone in the                                                                                                                                            |  |

protected memory area includes at least one protected memory page.

2

| 1 | 59. (new) The machine-readable medium of claim 58 wherein the at least one protected memory page                   |  |
|---|--------------------------------------------------------------------------------------------------------------------|--|
| 2 | includes an applet page.                                                                                           |  |
| 1 | 60. (new) The machine-readable medium of claim 58 wherein the at least one protected memory page                   |  |
| 2 | includes an OS nub page.                                                                                           |  |
| 1 | 61. (new) The machine-readable medium of claim 58 wherein the at least one protected memory page                   |  |
| 2 | includes a processor nub page.                                                                                     |  |
| 1 | 62. (new) The machine-readable medium of claim 57 wherein the access information includes a physical               |  |
| 2 | address.                                                                                                           |  |
| 1 | 63. (new) The machine-readable medium of claim 62 wherein an identifier is used to identify a currently            |  |
| 2 | active protected memory zone and that the processor is operating in the first execution mode.                      |  |
| 1 | 64. (new) The machine-readable medium of claim 63 wherein determining if the access transaction is                 |  |
| 2 | valid further comprises determining if the physical address is within the currently active protected memory zone   |  |
| 3 | and if the identifier is asserted.                                                                                 |  |
| 1 | 65. (new) The machine-readable medium of claim 63 further comprising detecting if the physical                     |  |
| 2 | address is within the currently active protected memory zone such that a memory zone matching signal is generated. |  |
|   | <b>8</b>                                                                                                           |  |
| 1 | 66. (new) The machine-readable medium of claim 65 further comprising generating an access grant                    |  |
| 2 | signal if both the memory zone matching signal and identifier are asserted.                                        |  |
| 1 | 67. (new) A system comprising:                                                                                     |  |
| 2 | a chipset;                                                                                                         |  |
| 3 | a memory coupled to the chipset;                                                                                   |  |
| 4 | a processor coupled to the chipset and the memory having an access manager, the processor having a first           |  |
| 5 | execution mode and a second execution mode, the processor generating an access transaction having access           |  |
| 6 | information, the access manager comprising:                                                                        |  |
| 7 | a configuration storage to store configuration settings to configure an access transaction generated by the        |  |
| 8 | processor, the configuration settings to define a protected memory area in a memory external to the processor that |  |

042390.P9654C -5- ETK/npe

| 9     | is accessible to the processor in the first execution mode and an un-protected memory area that is accessible to                                                                                                                      |  |  |
|-------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|
| 10    | the processor in the second execution mode, wherein the processor in the second execution mode cannot access                                                                                                                          |  |  |
| 11    | the protected memory area;                                                                                                                                                                                                            |  |  |
| 12    | a protected memory zone in the protected memory area;                                                                                                                                                                                 |  |  |
| 13    | an un-protected memory zone in the un-protected memory area; and                                                                                                                                                                      |  |  |
| 14    | a memory zone access checking circuit coupled to the configuration storage to check the access                                                                                                                                        |  |  |
| 15    | transaction using at least one of the configuration settings and the access information to determine if the access                                                                                                                    |  |  |
| 16    | transaction is valid.                                                                                                                                                                                                                 |  |  |
| 1     | 68. (new) The system of claim 67 wherein the protected memory zone in the protected memory area                                                                                                                                       |  |  |
| 2     | includes at least one protected memory page.                                                                                                                                                                                          |  |  |
| 1     | 69. (new) The system of claim 68 wherein the at least one protected memory page includes an applet                                                                                                                                    |  |  |
| 2     | page.                                                                                                                                                                                                                                 |  |  |
| 1     | 70. (new) The system of claim 68 wherein the at least one protected memory page includes an OS nub                                                                                                                                    |  |  |
| 2     | page.                                                                                                                                                                                                                                 |  |  |
| 1     | 71. (new) The system of claim 68 wherein the at least one protected memory page includes a processor                                                                                                                                  |  |  |
| 2     | nub page.                                                                                                                                                                                                                             |  |  |
| 1     | 72. (new) The system of claim 67 wherein the access information includes a physical address.                                                                                                                                          |  |  |
| 1     | 73. (new) The system of claim 72 further comprising an identifier that identifies a currently active                                                                                                                                  |  |  |
| 2     | protected memory zone and that the processor is operating in the first execution mode.                                                                                                                                                |  |  |
| 1 2 3 | 74. (new) The system of claim 73 wherein determining if the access transaction is valid further comprises determining if the physical address is within the currently active protected memory zone and if the identifier is asserted. |  |  |
|       |                                                                                                                                                                                                                                       |  |  |

a memory zone detector to detect if the physical address is within the currently active protected memory zone

such that the memory zone detector generates a memory zone matching signal.

1

2

3

75.

(new) The system of claim 73 wherein the multi-memory zone access checking circuit comprises

1 76. (new) The system of claim 75 wherein the multi-memory zone access checking circuit further comprises an access grant generator coupled to the memory zone detector, the access grant generator generating an access grant signal if both the memory zone matching signal and identifier are asserted.